Security Management Strategies for the CIOIs the era of the e-mail worm officially over?
No, not entirely. Floppy, boot-sector viruses are essentially gone and the e-mail-only worm is
gone. But it has morphed now into the blended threat. You look at many of the most recent worms --
Klez, Magistr, Bugbear -- all of them attacked multiple avenues like open network shares, e-mail,
IM [instant messaging]. Propagation is high unless enterprises protect all those vectors. That's
the challenge, especially with having a lot of mobile workers and business partners with network
access. Where does the perimeter end these days? What's the biggest threat to an enterprise? The
malicious code writer, cumbersome software patches or the bogged down administrator?
It's a combination of all really. The volume of updates an administrator faces is potentially in
the hundreds. How do they know which are more important to address? Traditionally, it's been done
on a risk-rating system. Match the vulnerability to your assets. Track the risk of an attack. If it
can be leveraged against your assets, then it's a liability that needs to be addressed.
Then they have to deal with the stability of fixes and patches. Many administrators would rather wait for a service pack than apply a hotfix to a system or application. It's a safer route. But the question is, do they have enough time to wait for a service pack? That notion that they may have a year or two to get a patch up and running is no longer the case. The
Requires Free Membership to View
challenge is often to get the
patch out on multiple systems, servers and, if your enterprise is large enough, your 500,000
desktops worldwide. With recent zero-day exploits, you just don't have that time anymore. Are virus
and worm writers still dictating this cat-and-mouse game?They prey on new technologies, like wireless, like PDAs. They learn from past mistakes and yes, enterprises play catch-up in these areas. Virus writers often use existing exploit technology and continue to exploit what others have had success with. Antivirus technology, meanwhile, is mostly signature-based. But there is behavior-blocking technology and we've had a lot of success against worms using heuristics.
We've seen the motivation factor change for virus and worm writers. Virus and worm writers and
hackers used to be two different skill sets. That's no longer the case. They're often using the
same skills and using worms, for example, as early reconnaissance for a later attack. If there was
one issue or concern that enterprises express over and over, what would you say it is?
For enterprises, it's definitely information overload and manageability. 'They're saying, I'm
getting so much information from my IDS and other network logs, I don't know how to manage it.' You
cannot silo security. It's not just antivirus, or it's not just intrusion detection or firewalls. I
think you'll soon see a trend of consolidation of [firewalls, antivirus, intrusion detection and
intrusion prevention] into a single appliance. How many enterprises are actually aware of, or are
using, behavior-based defenses?
With technologies like behavior-based antivirus or intrusion prevention systems, it's often an
either-or thought. The answer is, however, that it's a combination of characteristics of both that
works best. A behavior-based system that can tell an administrator that it has detected an anomaly,
and by the way, it has also run a signature against it -- that's the best way to go. Enterprises
need the same thing for policies. That kind of flies in the face of the best-of-breed security
world.
Enterprises should have the best technology and services. Many companies right now have multiple
vendor technologies in their environments. They need to know how to understand it all and make the
right decisions. They need the right management system to tie things together. Our researchers said
that any given company can have up to 9.5 million security events, and of those, 600 are probably
actual attacks and 22 of those, serious breaches of their environment. It's not a needle in a
haystack anymore. It's a needle in a pile of needles you find in the haystack.
FOR MORE INFORMATION:
SearchSecurity.com coverage of RSA Conference 2003
SearchSecurity.com news exclusive: "CA exec: Security information overload plagues enterprises"
Best Web Links on security management
- FEEDBACK: How much of your work week is spent analyzing security log data?
Send your feedback to the SearchSecurity.com news team.
Join the conversationComment
Share
Comments
Results
Contribute to the conversation